Educating The People of Scotland

Scotland's Angels

EDIR:30939 Edinburgh City Council Data Sharing Agreements with Police Scotland - Application to OSIC Decision Reference 199/2021

Wed 06/10/2021 21:27

From: Information Compliance Officer Edinburgh City Council

To: Samantha Kerr

Cc: Julie Frew OSIC

Dear Ms Kerr

I am writing in relation to your application to the Information Commissioner following your recent FOI request to the Council.  I have discussed your case with Julie Frew, Freedom of Information Officer at OSIC, and she has asked that I write to you to provide some further clarity around the Council’s position on this matter.  I hope that you will find some of this additional information helpful in understanding why we provided the response we did.

I apologise again for the delay in issuing a response to your request.  This was a complex request, which involved discussions with various service areas across the organisation.  I have taken the opportunity to delve deeper and scrutinise the information requested and that held by the organisation.

From looking at all of the relevant information and in discussion with various colleagues, it is clear that there is not always a specific date on which an agreement was entered into as these are ongoing collaborative relationships. I can confirm that I have not been able to provide any further exact dates for the agreements noted as these are not held by the Council. What I have attempted to do now, as well as seeking out any additional information which was not initially provided, is to provide some context and clarity which I hope will allow you to better understand the Council’s position where an exact date is not held.

I have discussed this request with officers in both Children’s Services and Criminal Justice.  In relation to the Council’s information sharing with regard to Adult Protection, as we advised in the review response, the legislation puts a ‘duty to co-operate’ on the Council and Police as part of the Council’s duty to make inquiries where there is a suspicion of risk of harm. We do not hold a written agreement for this and therefore there is no date to provide in this case.

In relation to Criminal Justice I have met with the Community Justice Senior Manager who works directly to Jackie Irving, the Council’s Chief Social Worker and Service director for Children’s Services & Criminal Justice.  The Community Justice Senior Manager has responsibility for information sharing with the Police in this area and has checked her own emails and electronic files to identify the current information sharing agreements.  She has also approached the appropriate colleagues for additional information.  She has confirmed to me that she is the appropriate officer in relation to this matter and that all of the relevant information available has been captured.

In relation to Children’s Services, I have spoken to the Manager of Through Care and After Care and Services for Young People and the Children’s Practice Teams Manager.  These officers have responsibility for information sharing with the Police in this area and have checked their own emails and electronic files to identify the current information sharing agreements.  They have also approached the appropriate colleagues for additional information.  They have confirmed to me that they are the appropriate officers in relation to this matter and that all of the relevant information available has been captured.  All of the Senior Managers within Children’s Services are aware of this request and of the response provided, and we are therefore satisfied that all of the relevant information available has been captured.

In addition to our review response dated 6 April 2021, I can add the following information:

The Multi-Agency Public Protection Arrangement (MAPPA) where criminal offending data and allegations of criminality of data subjects is shared was entered into in 2007, under Section 10 of the Management of Offenders (Scotland) Act 2005. It has been confirmed with the MAPPA Co-Ordinator that the first MAPPA meeting was on 27th April 2007. I have also attached the first MOU that was signed off in 2009 (email 1).

The Council also entered into a multi-agency arrangement in 2013 with the MARAC pilot, following which MARAC was rolled out across the city. The pilot started on 18 April 2013 (please see email 2). Roll-out began in October 2014. I have attached a copy of the original Information Sharing Protocol, although we do not know when this was signed off and the person responsible no longer works for the Council (please see email 3). I have also attached the most recent ToR which was agreed by Chief Officers on 13 December 2018 (please see email 4). Attached is the DPIA for MARAC and the assessment report but it is confirmed that the updated ISA remains outstanding. COVID has impacted on this being completed (please see email 5).

The Council entered into a multi-agency arrangement in 2013/2014 and Disclosure Scheme for Domestic Abuse Scotland (Police Scotland led) in 2015. The Council attends the Decision Making Forum in respect of the DSDAS. We do not have the exact date as this is a Police led initiative. However I have attached what has recently been drafted and remains in draft, for your information (please see email 6).

In respect of IRDs, I have been advised that there may have been data sharing agreements for IRDs from years ago, however we do not hold exact dates for these and they have since been replaced by national guidance.  The Scottish Government have recently published new guidance in relation to Child Protection (including IRDs) which covers information sharing.  You can find it here:

Prior to that, information sharing guidance was covered in the previous Lothian and Borders Child Protection procedures which you can find here:

In response to your view that ISAs should be dated after 25 May 2018 when GDPR and DPA 2018 came into force, I can confirm I have discussed this matter with the Council’s Information Compliance Manager, who was responsible for the implementation of GDPR across the organisation.  She has confirmed that the practice at that time, which was in line with guidance from the UK Information Commissioner, was that information sharing that was lawful under the previous legislation would continue to be so when the new act came into force and that the changes brought about by GDPR would be picked up and addressed at the next review of any agreement.  As is apparent in some of the information I have attached, the progress of some of the current agreements has been impeded by COVID, however work is continuing and the Council’s Information Governance Team offers support to colleagues to ensure that all agreements entered into are fully compliant.

I hope that this response is helpful, and helps to explain why it has not been possible to provide exact dates as you expected, and demonstrates how we have conducted our searches to determine what information is held by the organisation.  I also hope that the supporting information helps to demonstrate the ongoing practices of information sharing the Council has with the Police.

Please note that I have copied this response to Julie Frew,

Kind regards

Information Compliance Officer | Information Governance Unit | Legal & Assurance | Corporate Services | The City of Edinburgh Council | Business Centre 2:1, Waverley Court, 4 East Market Street, Edinburgh, EH8 8BG

Scottish Information Commissioner Decision Notice 199/2021

Information Sharing Agreements: date of

Ms S Kerr

Public authority: City of Edinburgh Council

Case Ref: 202100494

“It is not the role of the Commissioner to comment on whether an authority’s documents are in line with GDPR, or should have been updated since 18 May 2018 – rather, his role in a case such as this is to determine whether the authority holds recorded information, i.e. the dates on which ISAs were agreed.”

Agreed by the requester:

Which does not preclude the issue that the Edinburgh Office of the ICO authorised City of Edinburgh Council to ‘carry on regardless’, so to speak, without making provision for their now legislatively out-of-date data sharing agreements.

Hence the purpose of the application to OSIC to obtain a legally binding decision including the narrative that is required to make the actual point in case.

Samantha Kerr